February 06, 2011

The FTC Privacy Report, “Do Not Track” Options and Web Analytics

I think it’s easy to get distracted by the rhetoric, opportunism and mis-information that accompanies a “hot button” issue like the release of The FTC Privacy Report. No sooner did the report hit the streets than the concept of “Do Not Track” became the big headline. That the FTC intended the report to be more of a brainstorming document than policy, with the final draft to be written after the public comment period ends was lost on many, as was their discussion about first party marketing, contextual advertising and “commonly accepted practices.” (See my 12/9/10 summary of the major points)

Knowing that the report was coming down the pike and pumped up by veiled threats of regulation by the FTC Chairman at the release of the report, it was only a matter of time for the Web browser triumvirate - Google, Mozilla, Microsoft – to show that they are good citizens and trot out their DNT solutions. Microsoft announced their DNT solution the day after the report was released. Google and Mozilla announced their solutions a few weeks ago.

As in many things having to do with the Internet, there’s a predilection to complicate rather than simplify, exaggerate rather than plainly-speak and obfuscate rather than be transparent…and the current solutions being offered by the Web browser triumvirate are no exception. Sure, the sole object of the exercise is not consumer choice; it is to balance choice with pacifying/mollifying/currying favor with the FTC and providing advertisers with the data and technical framework they need to make Internet advertising a high value marketing channel.

So, with all of this as a back drop, my colleague, Breen Baker, and I decided to take a closer look at these options from both the perspective of consumer privacy and web analytics:

1. Mozilla (Firefox)

In its current beta release of Firefox 4, Mozilla is extending its current Tool settings to allow users to indicate whether they want to be tracked or not by the site they are visiting. Once this is enabled, the opt-out is communicated in a new header to the web server. This information could be passed in a JavaScript variable and tell the site to serve the cookie; it could theoretically also be communicated to a third party server used by the domain, such as those that are used for handling site registration. The big drawback here is that the header is only acting as the messenger; in effect this is really only half way to a complete solution.

Privacy Grade: D

This solution offers a persistent, flexible approach, but is years away from becoming useful. As it currently is designed the way this works from a user perspective is very similar to how you’d currently opt out. It is more persistent than cookie solutions because it provides for permanent storage of the user preferences. The down side is that the details of transferring user preferences and configuring systems to respond are not nearly close to being worked out.

Analytics Grade: B

We think it will be too much effort for most users to go through the trouble of dealing with their opt-out preferences; just as it is now. If users don’t do anything they will be considered opt-in.

2. Google (Chrome)

Google has proposed a new extension to its browser called ‘Keep My Opt-Outs’ which uses a blacklist for online advertisers and direct marketers. The extension provides users with the ability to opt out of being tracked by anyone on their list, which is currently focused on US based online ad companies (Google plans on including the same functionality for European and international companies soon). As it is currently, all you can do is opt-out of all the companies that are a part of the list; it is an all or nothing option. Interesting to us because this is similar tactic on how users may also opt-out of being tracked by Google Analytics, an option I reviewed when it was released in June, 2010. The upside to this new extension is that the setting will persist through multiple browser sessions; the downside is that there is no middle ground. Users will not have the ability to allow certain online advertisers while blocking the rest (although they state that level of granularity will come soon). Additionally, maintenance of this list would be in the hands of Google or some other regulatory or industry group. The conflict of interest opportunities and regulatory challenges that come out of this arrangement will fund a new fleet of yachts purchased by the Washington lawyers and lobbyists feasting on this deal.

Privacy Grade: D

The solution itself is persistent, but is currently incomplete and inflexible. Future enhancements however look promising. Additionally, users will have to seek out the feature and then download a plug in…something that most visitors probably won’t know how to or be comfortable doing. Additionally, you can bet that there will be an increasing number of extensions available with DNT capabilities (there are already a few), further confusing site users and leading many to not bother using these settings at all.

Analytics Grade: B

Like the Mozilla option, the level of effort to set the plug in is likely more than most users want to do. In its current form, this should have little impact on Web analytics.

3. Microsoft (Internet Explorer)

Microsoft’s method of dealing with this issue is more flexible, or more confusing than its competitors from a consumer perspective. Microsoft’s intends IE9 to include both an ‘Opt-In’ option for users as well as a set of opt-out lists in its Tracking Protection feature. It is somewhat similar to the Google Chrome solution, but for one significant difference, you can de-select marketing organizations whose advertising you’d like to see. Where the concept starts to fray from our perspective is in the development of these lists. Anyone can develop a list and provide it for others to use. Envision hundreds of lists that one can choose from. We envision a nice little cottage industry of list consultants who tailor one just for your needs or someone who can vet lists and make recommendations.

Privacy Grade: C-

Sounds good on paper, but the use of the solution by many could be a stretch. If it does catch on, this would create the greatest level of privacy and user control of the three browsers and would also enable the user to see the benefit of being tracked by entering into an agreement with the site itself. The upside to this is that marketing is more targeted and efficient, sending offers only to prospects with a high conversion rate.

Analytics Grade: B-

Like the Mozilla and Chrome options, the level of effort to set list options could be too many and too confusing with only savvy users spending the time to opt-in or out, thereby having little influence on data collection

What We Have Here, Is a Failure to Communicate

In our opinion, none of these solutions provide the “Do Not Track” functionality Holy Grail. What we see so far are companies who are trying to solve the problem with imperfect technology rather than consider a communications, design and user interface strategy that might have greater odds for success at a much lower cost and overall market impact.

For example, in Firefox why not simply add a label to the browser header called “Privacy” and have that go to the Privacy settings that are hidden in the Tools tab? Or in IE, call it “Privacy” instead of “Safety”? Or follow the paradigm of ‘Permission Marketing’, the default would keep the users data private, only exposing it after the user expressly allows it.

It seems to us that these web browser solutions fly in the face of one of the major points of the FTC Privacy Report, “Commission staff proposes that companies provide choices to consumers about their data practices in a simpler, more streamlined way than has been used in the past.”

Is It the Beginning of the End of Web Analytics as We Know It?

Maybe, if these solutions mature and become viable. However, as we’ve pointed out in our assessment, the current convoluted nature of this current crop will likely be too much work for most consumers.

For the sake of discussion, what if these solutions do become easier to use, and functionally effective? For the practice of Web Analytics, this is just another day on the job. Let’s face it; the pursuit of complete data collection has always been quixotic. Outside of ensuring that your data is being collected, there are too many factors beyond your control…proxies, bots, spiders, reliance on third party vendors to tag their sites, use of spyware, constant purging of cookies, low rates of site registration vs. anonymous visitors, and so on.

Will more folks opt out of tracking? Perhaps, but by how much? Will it really have such a huge impact? Hard to say. And ultimately, what tracking will an opt-out option target? It seems clear by the FTC language that the target is online advertisers, not websites themselves. Of course, it seems possible that browser based solutions may end up making first party marketing collateral damage.

That being said, it seems to us that the lesson here is to innovate rather than run for the exits. Our current way of thinking about how to use web analytics insights is perhaps in need of re-evaluation. Instead of bemoaning less data, what about thinking about how to do a better job of complementing web analytics data with other data sets, then test, evaluate and make decisions?

Providing more opt-out options for users increases the chances that you’ll collect less information, but isn’t it possible that these were the people who weren’t highly qualified visitors anyway? Of course, creating more convoluted ways to enable opt-out or control is also going to confuse site visitors more thoroughly than before. Now, in addition to legalese strewn privacy policies, site visitors will have a myriad number of ways to define opt out…not only from their browsers, but from ad networks, as is already the case on Yahoo Ad Networks and in line with efforts by associations such as the Digital Advertising Alliance.

Perhaps this self selection actually helps you qualify valuable visitors. And, if this is the case, then instead of spending so much time on trying to figure out what the anonymous visitors do, you focus on what the qualified visitors are doing, and in turn, what caused them to become registered. Maybe you need to offer more and better incentives to register. People will give you their information if you give them something in return. Nothing new about this, but all opt in does is force you to come up with innovative ideas to capture data.

I was disappointed with the FTC Privacy report for only tackling the issue of PII. To my knowledge, all developed countries have good data protection laws on this already. Essentially, this means, you can only store PII data with the explicit person's permission, and you must reveal this to the person concerned should they request it. See for example the UK Data Protection Act (http://en.wikipedia.org/wiki/Data_Protection_Act_1998).

What I was hoping for from the FTC, was a position on non-PII data collection. That is, collecting data that does not DIRECTLY identify the individual. I emphasise directly, because with so many data points available from an anonymous user, it is possible for an organisation to triangulate non-PII data and build up a pretty sophisticated profile of the person - ultimately identifying them.

I think (hope!) web users are pretty savvy when it comes to sharing their PII data on the web - in the same way you wouldn't share your PII with a stranger in the street.

IMO tracking individuals as "individuals" on the web (as opposed to in aggregate), even when anonymous, poses a greater privacy threat.

That may sound strange coming from an advocate of web analytics such as myself. However, if we as an industry do not sort this issue out, there is a real danger that web analytics as we know it today will disappear completely.

Most of the attention now appears to be centered on the (third-party) advertising industry, and most particularly on behavioral targeting. Even Mozilla in their FAQ (https://wiki.mozilla.org/Privacy/Jan2011_DoNotTrack_FAQ) says that their new header is meant to "...allow the user to let a website know when they would like to opt-out of third-party tracking for behavioral advertising..."

How much of an impact all this will have on web analytics is yet to be seen, but I'm a big believer that the industry should adopt standard policies (such as the WAA Code of Ethics) and also advocate to distinguish itself from advertising to diminish the risk of becoming collateral damage. For example, it would be a big mistake for browsers to treat a SiteCatalyst tag the same as a advertising tag because for most people counting their session in an aggregate report is quite different from linking it with PII or historical activity across many different websites.

Personally, I believe that Mozilla's DNT solution is the best because neither Chrome's extension nor IE9's new features address the problem of keeping up-to-date with a comprehensive list of advertisers. The latter two are just too cumbersome, while the Mozilla approach is simple and elegant while allowing for future flexibility. Although it requires compliance, I believe that all the major networks are honest and would adhere to it and you'd ultimately end up with more universal compliance than any list-based approach could offer.